Run Unleashed 200.14 on the Ruckus R730

The R730 has similar hardware to the R850, so it can be converted to run Unleashed versions up to 200.14.

DANGER

Ruckus 200.15+ releases aren't compatible with the R730, so they will roll back your upgrade.
Please don't try to upgrade past the 200.14.6.1.203 release.

NOTE

The steps below assume the AP is plugged directly into your computer.
If your AP is plugged into a switch and is picking up an IP address via DHCP, then you will have to substitute its assigned IP address anywhere the text 192.168.0.1 appears below.

Download and extract vulnerable R730 firmware

Download the ZoneDirector 10.1.2.0.120 Software Release, which contains a vulnerable R730 AP image.

Your internet browser can extract the R730 AP Image from the ZoneDirector Software Image.

Manual Extraction Steps

Decrypt the image, then use an archive tool like 7-Zip to extract the firmwares/ap-patch/patch000/ap-arm-11ax/10.1.2.0.120/rcks_fw.bl7.main AP image file.

Install the vulnerable firmware

Log in to the AP's web administration interface.

TIP

You may need to do a factory reset (by sticking a pin in the reset hole for a few seconds) if you don't know the username & password.

The default username is "super", password is "sp-admin".

TIP

Your browser will show a security warning. This is normal and you should choose Advanced and then click through to the website by pressing Accept the Risk and Continue or Continue to 192.168.0.1 (unsafe) (the exact wording will vary depending on your browser).

Upgrade the firmware

Navigate to Maintenance > Upgrade.
Choose Upgrade Method: Local and press the Local File Name: Browse... button and select the R730_10.1.2.0.120.bl7 or rcks_fw.bl7.main firmware file you extracted above.
Choose Perform Upgrade.

TIP

The upgrade will take a few minutes.

SSH to the AP

console
$ ssh -oHostKeyAlgorithms=+ssh-rsa 192.168.0.1

Perform command injection

console
rkscli: Ruckus

Now type ";/bin/sh;" including the quotes and hit enter (you won't be able to see what you're typing).

console
grrrr

TIP

Instead of grrrr, another dog noise could be printed to the screen.

Escape to shell

console
rkscli: !v54!
What's your chow:

Now hit enter.

console
BusyBox v1.15.2 (2015-07-21 22:07:19 PDT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

#

You now have a root shell.

TIP

If you don't see a BusyBox shell prompt, and instead see just the rkscli: prompt, then the injection hasn't worked.
Repeat the command injection step, ensuring you type ";/bin/sh;" including the quotes.

Store R850 model information

console
# bsp set name R850
# bsp set model R850
# bsp commit

You will see something like this:

console
Saving flash .....
bdSave: sizeof(bd)=0x7c, sizeof(rbd)=0xd0
  caching flash data from /dev/mtd3 [ 0x00000000 - 0x00010000 ]
  updating flash data [0x00000000 - 0x0000007c] from [0x7f8a7ac8 - 0x7f8a7b44]
  updating flash data [0x00008000 - 0x000080d0] from [0x7f8a7b44 - 0x7f8a7c14]
_erase_flash: offset=0x0 count=1
Erase Total 1 Units
Performing Flash Erase of length 262144 at offset 0x0 done
  caching flash data from /dev/mtd3 [ 0x00000000 - 0x00010000 ]
  verifying flash data [0x00000000 - 0x0000007c] from [0x7f8a7ac8 - 0x7f8a7b44]
  verifying flash data [0x00008000 - 0x000080d0] from [0x7f8a7b44 - 0x7f8a7c14]
... Changes saved to flash

You should now immediately install Unleashed.

WARNING

In particular, do not factory reset the AP until you've installed the Unleashed firmware.

Install Unleashed 200.14

Log in to the AP's web administration interface.

TIP

Your browser will show a security warning. This is normal and you should choose Advanced and then click through to the website by pressing Accept the Risk and Continue or Continue to 192.168.0.1 (unsafe) (the exact wording will vary depending on your browser).

Upgrade to Ruckus Unleashed

I assume you have downloaded Ruckus R850 Unleashed 200.14 firmware.

Navigate to Maintenance > Upgrade.
Choose Upgrade Method: Local and press the Local File Name: Browse... button and select your Ruckus R850 Unleashed firmware file.
Choose Perform Upgrade.

TIP

The upgrade will take several minutes. You probably won't be able to reconnect for a few minutes after the web administration interface says the upgrade is finished.
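
A pre-flight check for the version ceiling given in the DANGER note at the top of this page, as an added example that is not part of the original guide. It assumes you type in the version string of the image you are about to upload; the script name check_version.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# Ceiling taken from the DANGER note on this page.
MAX_R730_UNLEASHED="200.14.6.1.203"

# ver_cmp A B: print -1, 0 or 1 when A is older than, equal to or newer than B.
# Dotted numeric versions are compared field by field; missing fields count as 0.
ver_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then echo -1; return 0; fi
        if [ "$fa" -gt "$fb" ]; then echo 1; return 0; fi
    done
    echo 0
}

# r730_version_ok VERSION: exit 0 if VERSION is at or below the ceiling,
# 1 if it is newer, 2 if it is not a plain dotted numeric version.
r730_version_ok() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*)
            echo "not a dotted numeric version: $1" >&2
            return 2 ;;
    esac
    [ "$(ver_cmp "$1" "$MAX_R730_UNLEASHED")" -le 0 ]
}

# Usage: sh check_version.sh <version string of the image you are about to upload>
if [ $# -gt 0 ]; then
    if r730_version_ok "$1"; then
        echo "OK: $1 is not newer than $MAX_R730_UNLEASHED"
    else
        echo "STOP: do not flash $1 on a converted R730" >&2
        exit 1
    fi
fi
```

The comparison is numeric per field, so a 200.14 build with a higher final field than 203 is rejected as well as any 200.15 release.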

Notes

  • The R730 reportedly has issues with 160 MHz wide channels, so it's best to limit channel width to 80 MHz or less.

  • If your AP is broadcasting an extra Technical.Support-xxxx SSID after you've finished setting up Unleashed, then you can try enabling Unleashed Multi-Site Manager (Admin & Services > Administration > Network Management > Unleashed Multi-Site Manager) with an unreachable IP, then immediately disabling it again.

Reverting to R730 firmware

Install vulnerable firmware

Download and install vulnerable Unleashed firmware and then use this to escape to a root shell.

Store R730 model information

console
ruckus$ bsp set name R730
ruckus$ bsp set model R730
ruckus$ bsp commit

Install Solo firmware

I assume

  • you have a tftp server running
  • you have downloaded the latest Ruckus R730 Solo firmware
  • you copied the firmware to the tftp server's content directory

console
ruckus$ fw set proto tftp
ruckus$ fw set port 69
ruckus$ fw set host <TFTP server IP>
ruckus$ fw set control <R730 Solo firmware filename>
ruckus$ fw update
ruckus$ reboot

Released under the BSD Zero Clause License.